Firewall Rules - Correct Ordering??



  • I read the Definitive Guide, and googled loads before asking what must be a very, very basic question. But I'm just not sure how to determine how to order the firewall rules. I probably just need to be pointed toward a good, basic website or resource that explains it well. Here's a screengrab of my Public Hotspot firewall rules. It's on its own subnet ( 168.192.2.x ). I especially don't know where to put the !LAN rule. If I put it last, the hotspot loses connection to the web. I clearly don't have my head wrapped around this one.  Any help / advice is appreciated.



  • If you put the "Pass everything except LAN" rule below the "block 80" and "block 443" rule, then it makes sense that access to the Web would not go out.  The "block 80" and "block 443" rules would be evaluated first.

    I'm a beginner with this, but I think you're overcomplicating this big time with more rules than needed.  The Public Hotspot is on a separate interface from your LAN, right?  So it should be blocked by default…



  • The rules are processed in order from top down, the first match wins. So put all the explicit block rules first, and the general pass rule to !LAN at the bottom. Anything else to LAN will fall past that and into the hands of the unseen default block all rule.


  •

    " If I put it last, the hotspot loses connection to the web. "

    Well no shit, you're blocking the web with your 80 and 443 rules.

    I would really just delete all those rules and start over ;)

    What ip address and network is opt1, and we can make sure users can not access pfsense for webgui,ssh, etc. but I would think you would want them to use pfsense for dns?

    As stated rules go from top to bottom, with an unseen deny all.  If there are ports you don't want your hotspot users to access they would be above the allow rule you have to create.

    Keep in mind unless you're using a proxy you kind of have to let out 80 and 443 if you want users to access the internet, 53 as well unless they are using pfsense for dns or an explicit proxy.

    As to blocking users to go to specific netblocks like your first 2 rules - if they are using a proxy those rules are meaningless ;)

    with the rules 192.168.2.1/24 that says pfsense - are you trying to block pfsense on the lan?  If so your NOT lan rule would cover all of that.  If that is the specific IP its called out wrong, from the address its a host address, but you list a mask which is not how it would show up in the rules if set to host.  A network would be 192.168.2.0/24  so confused to what these rules are actually set to for destination?

    Blocking access to pfsense wan address?  How does that block modem config access?  Lets start over - that is just a mess ;)

    If you tell us what you would like to prevent, we can write up the rules and walk through them.



  • @johnpoz:

    …What ip address and network is opt1, and we can make sure users can not access pfsense for webgui,ssh, etc. but I would think you would want them to use pfsense for dns?

    with the rules 192.168.2.1/24 that says pfsense - are you trying to block pfsense on the lan?  If so your NOT lan rule would cover all of that.  If that is the specific IP its called out wrong, from the address its a host address, but you list a mask which is not how it would show up in the rules if set to host.  A network would be 192.168.2.0/24  so confused to what these rules are actually set to for destination?

    If you tell us what you would like to prevent, we can write up the rules and walk through them.

    There's just one cable internet WAN, and
    opt1 (totally open public hotspot) is 192.168.2.1
    lan (my home network) is 192.168.1.1

    I want to prevent opt1 from accessing my cable modem ( 192.168.100.1 ) and, of course, my pfsense box (which it sounds like is already done once I fix this mess that is my firewall rule set). And, of course, I want to make absolutely sure that opt1 cannot access anything on my lan. It sounds like I should block all that netbios stuff, unless you tell me it's already taken care of.

    I haven't added anything to the lan rules other than the default settings, so let me know if I should add anything there, like blocking netbios, etc.

    Thanks for the help so far!



  • All your private subnets (LAN, OPT1, cable modem) are contained within 192.168.0.0/16 - so one easy way to secure it all is to put rules in order on OPT1 like this:
    a) Those pfBlocker rules, which are put there automagically by your pfBlocker settings.
    b) Block, source any port any, destination 192.168.0.0/16 port any - keep them out of your private networks, and including the pfSense webGUI on the various interfaces.
    c) Blocks for destination ports you don't want people going out to, and whatever other stuff you want to block
    d) Pass, source OPT1net port any, destination any port any - allow everything else

    Then if you add more subnets in the future within 192.168 they are already blocked from OPT1.



  • Unless DNS is being used by somewhere else, maybe good to also allow tcp/udp 53 to LAN address.



  • Thanks Phil Davis; That makes sense to me – I'll have to try that when I have time.

    @Finger79:

    Unless DNS is being used by somewhere else, maybe good to also allow tcp/udp 53 to LAN address.

    Sorry, that's way over my head - what does this rule look like? It goes under LAN rules, I'm guessing. Is this to help prevent dns spoofing on a compromised local machine?



  • Finger79 is right, I forgot about the fact that the pfSense is likely providing DNS for clients on the hotspot OPT1, so that is the one genuine thing that your general hotspot users will need to talk to on the pfSense OPT1 interface.
    After (a) and before (b) in my suggested rules list, put a rule:
    Pass, IPv4, Protocol TCP+UDP, Source OPT1net, port any, Destination OPT1 address, port DNS (53)
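
    The following is an added worked example, not code from the thread or from pfSense: a small first-match-wins evaluator that walks an OPT1 rule list top-down the way the replies above describe (explicit blocks first, one general pass at the bottom, and an unseen default deny after that). It encodes the suggested OPT1 ordering with the DNS pass placed above the 192.168.0.0/16 block, collapses the NetBIOS blocks into one 137-139 range as the last reply suggests, and also encodes the original misordering (port 80/443 blocks above the "not LAN" pass) to show why the hotspot lost the web. The addresses 192.168.2.0/24 (OPT1net), 192.168.2.1 (OPT1 address), 192.168.1.0/24 (LAN) and 192.168.100.1 (cable modem) come from the posts; the Rule class, the evaluate() function, the 203.0.113.10 "internet" host and the sample packets are assumptions made for this illustration (IPv4 only, no state tracking, no pfBlocker rules).

```python
"""Constructed example: first-match-wins evaluation of a pfSense-style OPT1 rule set.

Not pfSense code. Rule/evaluate() and the sample packets are assumptions made for
illustration; subnets and hosts are the ones named in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "block"
    proto: str                         # "tcp", "udp", "tcp/udp" or "any"
    src: str                           # source network, CIDR
    dst: str                           # destination network, CIDR
    dports: Optional[Tuple[int, int]]  # inclusive destination port range; None = any port
    label: str                         # description shown when the rule matches
    negate_dst: bool = False           # models pfSense's "not" (!) on the destination


def _proto_matches(rule_proto: str, pkt_proto: str) -> bool:
    return rule_proto == "any" or pkt_proto in rule_proto.split("/")


def _rule_matches(rule: Rule, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if not _proto_matches(rule.proto, proto):
        return False
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
        return False
    in_dst = ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
    if in_dst == rule.negate_dst:      # "!dst" rules match only when the packet is outside dst
        return False
    if rule.dports is not None:
        lo, hi = rule.dports
        if dport is None or not lo <= dport <= hi:
            return False
    return True


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: Optional[int] = None):
    """Walk the list top-down; the first matching rule decides.
    Anything that falls off the bottom hits pfSense's unseen default deny."""
    for rule in rules:
        if _rule_matches(rule, proto, src, dst, dport):
            return rule.action, rule.label
    return "block", "implicit default deny"


ANY = "0.0.0.0/0"
OPT1_NET = "192.168.2.0/24"      # hotspot subnet (from the thread)
OPT1_ADDR = "192.168.2.1/32"     # pfSense's OPT1 address, the hotspot's DNS server
LAN_NET = "192.168.1.0/24"       # home LAN (from the thread)
PRIVATE_192 = "192.168.0.0/16"   # covers LAN, OPT1 and the 192.168.100.1 cable modem


def suggested_opt1_rules() -> List[Rule]:
    """Phil Davis's ordering (pfBlocker rules omitted): DNS pass, RFC1918 block,
    port blocks, then the general pass. NetBIOS collapsed into one 137-139 rule."""
    return [
        Rule("pass", "tcp/udp", OPT1_NET, OPT1_ADDR, (53, 53), "DNS to OPT1 address"),
        Rule("block", "any", ANY, PRIVATE_192, None, "keep hotspot out of 192.168.0.0/16"),
        Rule("block", "tcp/udp", OPT1_NET, ANY, (137, 139), "block NetBIOS 137-139"),
        Rule("pass", "any", OPT1_NET, ANY, None, "allow everything else"),
    ]


def misordered_opt1_rules() -> List[Rule]:
    """The original post's mistake: port 80/443 blocks sit above the 'not LAN' pass,
    so every web request is dropped before the pass rule is ever consulted."""
    return [
        Rule("block", "tcp", ANY, ANY, (80, 80), "block 80"),
        Rule("block", "tcp", ANY, ANY, (443, 443), "block 443"),
        Rule("pass", "any", OPT1_NET, LAN_NET, None, "pass to !LAN", negate_dst=True),
    ]


if __name__ == "__main__":
    # Constructed sample traffic from a hotspot client at 192.168.2.50.
    packets = [
        ("tcp", "192.168.2.50", "192.168.1.10", 445),    # LAN file share
        ("tcp", "192.168.2.50", "192.168.100.1", 80),    # cable modem config page
        ("tcp", "192.168.2.50", "192.168.2.1", 443),     # pfSense webGUI on OPT1
        ("udp", "192.168.2.50", "192.168.2.1", 53),      # DNS to pfSense
        ("tcp", "192.168.2.50", "203.0.113.10", 443),    # HTTPS to the internet
        ("tcp", "192.168.2.50", "203.0.113.10", 139),    # NetBIOS to the internet
    ]
    for name, rules in (("suggested", suggested_opt1_rules()), ("misordered", misordered_opt1_rules())):
        print(f"== {name} ==")
        for pkt in packets:
            print(pkt, "->", evaluate(rules, *pkt))
```

Running it shows the two orderings side by side: with the suggested list, LAN, the modem and the webGUI are all caught by the 192.168.0.0/16 block while DNS to 192.168.2.1 and HTTPS to the internet pass; with the misordered list, HTTPS to the internet is dropped by the "block 443" rule before the "pass to !LAN" rule is reached, which is exactly the "loses connection to the web" symptom.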



  • Thanks Phil! (and Finger, and John) I've attached my revised Firewall Rules. They successfully block my pfsense config, cable modem config, and prevent access from opt1 to lan subnet. Seems to allow access to the net. See anything that doesn't smell right? Gosh I can't tell you how helpful this forum is!




  • Looks great!  If you want (optional), you can combine all three NetBIOS rules into just one rule by just doing a destination port range 137-139.

